On 20/12/15 10:28, Gordon Messmer wrote:
> On 12/19/2015 09:49 AM, Alice Wonder wrote:
>>
>> With third party repositories the key and configuration file is often
>> distributed separately. That's the potential attack vector for trojan
>> keys.
>
> Examples?
>
> All of the notable repositories that I'm aware of publish an
> x-release.rpm that installs their key and yum repo file. But if your
> concern is that users might manually install a repo file and public key,
> then I don't see how modifying yum would change that. The attacker would
> probably include a key that contains an address they control and
> validates properly against it.
>
> In other words, I think the solution to the problem is simply to make
> sure that the repositories publish their "release" rpm over https and
> that documentation reflects the secure URL. I notice now that EPEL
> links directly to the https URL for their release rpm, but their FAQ
> still provides a command-line example for installation using an http URL.
>
> The FAQ should be updated. That method is a potential security problem
> because it doesn't use https and doesn't check the package signature.
> But the solution is simply to replace http with https in the FAQ. yum
> isn't used to install the release package, and I think the solution is
> to make sure that malicious release packages don't get installed, not to
> try to behave well on a system where an attacker already installed
> malicious data.
>

Unless I'm mistaken RPM in el5 does not support the https protocol.

On 12/20/2015 04:26 AM, Ned Slider wrote:
> Unless I'm mistaken RPM in el5 does not support the https protocol.

In that case, users should use curl or wget to retrieve the rpm over https before installing it.

On 12/20/2015 10:05 AM, Gordon Messmer wrote:
> On 12/20/2015 04:26 AM, Ned Slider wrote:
>> Unless I'm mistaken RPM in el5 does not support the https protocol.
>
> In that case, users should use curl or wget to retrieve the rpm over
> https before installing it.

Yes, but I've run into instances where curl does not work for https - for example, I believe if an ECDSA TLS certificate is being used on the server, curl doesn't work. Not sure about wget.

On 12/20/2015 4:26 AM, Ned Slider wrote:
> Unless I'm mistaken RPM in el5 does not support the https protocol.

Did you mean yum? rpm is just a file format for packages, and a package installer program; it's yum that does the network operations to fetch the packages, and as far as I understand it uses libcurl, so it should be able to support https.

-- 
john r pierce, recycling bits in santa cruz

On 12/20/2015 12:16 PM, John R Pierce wrote:
> On 12/20/2015 4:26 AM, Ned Slider wrote:
>> Unless I'm mistaken RPM in el5 does not support the https protocol.
>
> did you mean Yum ? rpm is just a file format for packages, and a
> package installer program, its yum that does the network operations to
> fetch the packages, and as far as I understand it uses libcurl, so it
> should be able to support https
>

RPM has the ability to install a package over the network. `rpm -i ftp://example.org/foo-2.2.noarch.rpm` could be used to install that package, which may contain the key and yum configuration for a third party repository.

The point I'm trying to make, though, is that yum could benefit from the ability to verify that the fingerprint of a key it is importing matches a DNS query for the user and domain the key claims to be for. Regardless of how the package was retrieved, this could prevent dishonest trojan keys from being imported, especially if DNSSEC validated the DNS query.

-- 
-=- Sent from my laptop, may not be able to respond timely
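The DNS-backed fingerprint check proposed in the last message, as an added model that is neither yum's code nor part of the thread: it derives the OPENPGPKEY owner name (RFC 7929) from the e-mail in the key's user ID, computes the V4 fingerprint of the key published at that name, and accepts the local key only when the fingerprints match and the answer was DNSSEC-validated. The RFC 7929 naming, the resolver stub and the sample key packet are assumptions added here.

```python
import hashlib

def openpgpkey_owner_name(email):
    """RFC 7929 owner name: SHA2-256 of the local part, truncated to 28
    octets and hex-encoded, under the _openpgpkey label of the domain."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._openpgpkey.%s" % (digest.hex(), domain.lower())

def v4_fingerprint(packet):
    """V4 fingerprint (RFC 4880 s.12.2): SHA-1 over 0x99, the two-octet body
    length and the body of the first (public-key) packet. Handles old-format
    headers with one- or two-octet lengths, as found in exported key files."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public-key packet")
    if tag & 0x03 == 0:
        start, length = 2, packet[1]
    elif tag & 0x03 == 1:
        start, length = 3, int.from_bytes(packet[1:3], "big")
    else:
        raise ValueError("unsupported length type")
    body = packet[start:start + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    prefix = b"\x99" + length.to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()

def key_matches_dns(uid_email, local_fpr, resolve):
    """resolve(name) -> (rdata bytes or None, dnssec_authenticated: bool).
    Refuse when there is no record, when the answer was not DNSSEC-validated,
    or when the published key's fingerprint differs from the local key's."""
    rdata, authenticated = resolve(openpgpkey_owner_name(uid_email))
    if rdata is None or not authenticated:
        return False
    return v4_fingerprint(rdata) == local_fpr

# Constructed sample: a minimal v4 RSA public-key packet (tag 6, one-octet
# length: version, creation time, algorithm 1, MPI n, MPI e). The tiny
# modulus is a placeholder that only exercises the packet format.
SAMPLE_KEY = (b"\x98\x0f" + b"\x04" + b"\x56\x76\x00\x00" + b"\x01"
              + b"\x00\x10\xc0\xff" + b"\x00\x11\x01\x00\x01")

def fake_resolver(records, authenticated=True):
    """Stand-in for a validating stub resolver (hypothetical); real code
    would query DNS and read the AD bit of the response."""
    return lambda name: (records.get(name), authenticated)
```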